The Agent Governance Stack

No single framework covers agent governance end to end. That is the uncomfortable truth behind every enterprise AI governance program that tries to pick one standard and call it done. The NIST AI Risk Management Framework gives you a way to think about risk. ISO/IEC 42001:2023 gives you a certifiable management system. The EU AI Act (Regulation 2024/1689) creates binding legal obligations with real enforcement teeth. Each layer does something the others cannot, and skipping any of them leaves a structural gap that auditors, regulators, or incidents will eventually expose.

The problem compounds when you move from traditional AI to agentic AI. Traditional AI systems are largely reactive: they take an input, produce an output, and a human decides what to do next. AI agents are fundamentally different. They operate with varying levels of autonomy, use tools, maintain persistent memory, chain multi-step reasoning into action sequences, and interact with external systems at runtime. Every one of those capabilities creates governance surface area that existing frameworks were not originally designed to address. The agentic AI threat landscape maps the security risks these governance controls must mitigate.

That proactive nature is exactly what makes a single-framework approach insufficient. You need a voluntary framework to identify risks flexibly (NIST), a management system to operationalize controls and make them auditable (ISO), and a regulatory mapping to ensure legal compliance (EU AI Act). Stack them in sequence, and you get a governance architecture that actually works. Here is how each layer functions and how they connect.

The stack operates as three distinct but interdependent layers. NIST AI RMF sits at the base as the risk-thinking layer. ISO 42001 builds on top as the operational implementation layer. The EU AI Act sits at the apex as the legal compliance layer. Each layer feeds the next: NIST identifies and frames risks, ISO operationalizes risk treatment through auditable controls, and the EU AI Act mapping demonstrates that those controls satisfy binding regulatory requirements. Click each layer to see how it contributes.

Published in January 2023, the NIST AI RMF 1.0 (NIST AI 100-1) is designed for organizations "designing, developing, deploying, or using AI systems." It is not a compliance standard. It is a thinking tool. The NIST AI RMF Hub provides a comprehensive implementation reference for organizations working through the framework in detail. Its value lies in structuring how your organization identifies, analyzes, and prioritizes AI risks before you reach for specific controls or regulatory checklists.

The framework establishes seven characteristics of trustworthy AI: "valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed" (NIST AI 100-1, Section 3). These characteristics become the evaluation criteria that flow through every subsequent governance activity. For agents, each characteristic requires reinterpretation. Transparency for a chatbot means showing the prompt. Transparency for an autonomous agent means reconstructing a full chain of reasoning steps, tool invocations, and decision points across a multi-step execution trace.

The framework organizes risk management into four core functions. NIST explicitly notes that its suggested actions "do not constitute a checklist, nor are they necessarily an ordered set of steps" (NIST AI 100-1, Section 5). Risk management should be "continuous, timely, and performed throughout the AI system lifecycle dimensions." Click each function to explore how it applies to agent systems.

Where NIST gives you the conceptual model, ISO/IEC 42001:2023 gives you the management system. It "specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system within organizations" (ISO/IEC 42001:2023). The critical word is certifiable. The ISO 42001 Resource Center covers the certification pathway, implementation guidance, and how the standard integrates with existing management systems. ISO 42001 uses the Annex SL high-level structure, the same architecture behind ISO 27001 (information security) and ISO 9001 (quality management). Organizations already running those systems can integrate AI governance without building a parallel structure from scratch.

The standard follows the Plan-Do-Check-Act (PDCA) cycle. It requires organizations to "define and apply an AI risk assessment process" covering risk identification, analysis, and evaluation (Clause 6.1.2), then "define and apply an AI risk treatment process" to select appropriate options and determine controls (Clause 6.1.3). A Statement of Applicability (SoA) documents which Annex A controls apply to your specific context, similar to the SoA in ISO 27001.

ISO 42001 also introduces a requirement that NIST does not explicitly mandate: the AI system impact assessment, which evaluates "potential consequences of AI systems on individuals, groups of individuals, and societies" (Clause 6.1.4). For agent systems, this assessment must account for cascading impacts from autonomous decision chains, not just single-interaction outcomes.

The normative Annex A controls span ten domains: AI Policies (A.2), Internal Organization (A.3), Resources for AI Systems (A.4), Assessing Impacts (A.5), AI System Lifecycle (A.6), Data (A.7), Information (A.8), Use of AI Systems (A.9), and Third-Party Relationships (A.10). For agents, the most critical controls cluster around resource documentation (A.4.2-A.4.6), which maps directly to the Behavioral Bill of Materials concept; lifecycle controls including verification and validation (A.6.2.4), deployment (A.6.2.5), operation and monitoring (A.6.2.6), and event log recording (A.6.2.8); and third-party controls (A.10.2-A.10.4) that address agent-to-tool and agent-to-agent dependencies.

The EU AI Act (Regulation 2024/1689) is the legal enforcement layer. It "shall apply from 2 August 2026" as its main application date, with phased implementation: Chapters I and II (definitions and prohibited practices) applied from 2 February 2025; Chapter III Section 4, Chapter V, Chapter VII, Chapter XII, and Article 78 from 2 August 2025; and Article 6(1) with corresponding high-risk obligations from 2 August 2027 (Article 113).

The Act defines an AI system as "a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments" (Article 3(1)). That definition clearly encompasses agent systems. The "varying levels of autonomy" language and the reference to influencing "physical or virtual environments" describe exactly what agents do.

The Act uses a risk-based classification system with four tiers (explore the full text via the AI Act Explorer). For a deeper analysis of how agents specifically map to these classifications, see EU AI Act and Agents: High-Risk Classification and Compliance Requirements.

The Act distinguishes between providers ("a natural or legal person that develops an AI system or a general-purpose AI model and places it on the market or puts the AI system into service under its own name or trademark," Article 3(3)) and deployers ("a natural or legal person that uses an AI system under its authority," Article 3(4)). Both carry obligations. For enterprise agent deployments, you are almost certainly a deployer, and you may also be a provider if you have fine-tuned models, built custom agent orchestration, or modified an agent's behavior beyond what the original provider intended.

The concept of "reasonably foreseeable misuse" (Article 3(13)) takes on particular significance for agents. When an agent has tool access and multi-step reasoning, the space of foreseeable misuse expands dramatically compared to a single-turn chatbot. Your risk management system must account for this expanded surface.

The real power of the governance stack emerges when you map controls across all three frameworks. NIST has published an official mapping of NIST AI RMF to ISO/IEC 42001. We have extended that mapping to include the EU AI Act and agent-specific guidance across 50 control areas in our governance crosswalk dataset. Here are the key mapping points across the ten most critical domains for agent governance.

The crosswalk reveals a structural alignment that is not accidental. NIST published an official mapping of its AI RMF to ISO/IEC 42001, confirming that the two frameworks were designed to be complementary. The EU AI Act's requirements for high-risk systems (Articles 9 through 15 and Article 72) map cleanly onto ISO 42001's Annex A controls, which in turn trace back to NIST's four functions. The governance stack is not three separate compliance exercises; it is one integrated architecture viewed through three lenses.

Of the 50 control areas in the full crosswalk, approximately 22 are rated critical for agent applicability (agent autonomy fundamentally changes governance requirements), approximately 22 are rated high (substantial adaptation needed), and approximately 6 are rated medium. Zero are rated low. Every control area requires at least moderate adaptation when applied to agentic systems.

None of these three frameworks was written with agentic AI explicitly in mind. NIST AI RMF 1.0 predates the current wave of agent deployments. ISO 42001 addresses AI management systems generically. The EU AI Act's definition of AI systems encompasses agents, but its specific requirements were drafted primarily for traditional AI patterns. That means the governance stack must be interpreted and adapted for six capabilities that differentiate agents from conventional AI.

Addressing these challenges requires mapping agents to autonomy tiers, each demanding different governance intensity. The governance crosswalk references four tiers that directly influence how controls from all three frameworks are implemented.

Each tier maps to different NIST subcategories (GV-3.2 for human-AI configurations), different ISO 42001 controls (A.9.3 for responsible use objectives), and different EU AI Act obligations (Article 14 for human oversight of high-risk systems). The governance stack does not apply uniformly. It scales with autonomy.

The governance crosswalk also identifies four new organizational roles required for agent governance: agent owners who are accountable for agent behavior, agent operators who monitor runtime performance, tool custodians who manage tool access permissions, and escalation handlers who respond to agent anomalies. These roles have no direct equivalent in traditional AI governance structures.

Building an agent governance program is not a one-shot project. It is a continuous process that starts with organizational structure and matures through deployment and monitoring. The following nine-step sequence integrates controls from all three framework layers, with specific subcategory and article references so you can trace every step back to its source.

The governance principles that underpin every step: principle of least privilege by default, sandboxed execution environments, action confirmation for irreversible operations, rollback capabilities, circuit breakers for automatic shutdown on anomaly detection, and staged rollouts with progressive autonomy increases.

The governance stack is not a destination. It is infrastructure that you build once and operate continuously. The PDCA cycle in ISO 42001 is designed for exactly this: plan your agent governance, implement it, check results through internal audits and management reviews, then act on findings to improve. NIST reinforces this with its insistence that risk management be "continuous, timely, and performed throughout the AI system lifecycle dimensions."

Several practical realities shape how fast you can move. No framework explicitly addresses "agentic AI" by name yet. You are interpreting and adapting general AI governance requirements to a specific and rapidly evolving technology pattern. The EU AI Act has not yet been enforced, meaning there is no regulatory precedent for how agent systems will be classified or treated in practice. And ISO 42001 certification for agentic systems is still rare enough that public case studies are limited.

But that gap is exactly why the three-layer stack matters. Using NIST for flexible risk thinking protects you when agent capabilities evolve faster than standards committees can publish updates. ISO 42001's management system structure gives you auditable evidence that you are managing risk systematically, regardless of what specific agent capabilities you deploy. And mapping to the EU AI Act ensures that when enforcement begins in earnest, your compliance posture is already built on a documented foundation.

The Behavioral Bill of Materials (BBOM) is the bridge artifact that connects all three layers. It satisfies NIST GV-1.6 (AI system inventory), ISO A.4.2-A.4.6 and A.6.2.7 (resource and technical documentation), and EU AI Act Article 11 and Annex IV (technical documentation requirements). The BBOM "should document what each agent can do, not just what it is" (CW-006). For organizations starting their agent governance journey, the BBOM is the single most impactful first deliverable because it makes the abstract concrete: what does this agent actually have access to, what decisions can it make, and what happens when it goes wrong?

The technology is moving. The regulatory environment is solidifying. The organizations that build their governance stack now, before the EU AI Act's main application date of 2 August 2026, will have the operational maturity to deploy agents at scale when the compliance deadline arrives. The ones that wait will be building governance infrastructure under deadline pressure while their competitors are already in production. That is the strategic calculation behind the governance stack: invest in structure now, operate with confidence later.